Ntlm authentication doesn't work

collider · June 22, 2018, 10:41am

I’m making a request in postman to an api that uses ntlm authentication, but postman gives up after it receives the initial 401. It never attempts to send any credentials to the server.

This is what I see in fiddler:

Request:

GET [url] HTTP/1.1
Content-Type: application/json
User-Agent: PostmanRuntime/7.1.5
Accept: /
Host: [host]
accept-encoding: gzip, deflate
Connection: keep-alive

Response:

HTTP/1.1 401 Unauthorized
Content-Length: 61
Content-Type: application/json; charset=utf-8
Server: Microsoft-HTTPAPI/2.0
WWW-Authenticate: Negotiate,NTLM
Date: Fri, 22 Jun 2018 10:25:40 GMT
Proxy-Support: Session-Based-Authentication

{“Message”:“Authorization has been denied for this request.”}

… and that’s it. Even though NTLM authentication is selected and I’ve entered my credentials, postman doesn’t make any attempt to send them. The url works fine in chrome, and I can see it’s successfully going through the ntlm authentication process after the initial 401.

This is using 6.1.3

postman-harryi3t · June 28, 2018, 5:44am

@collider This bug is being tracked here https://github.com/postmanlabs/postman-app-support/issues/4711
Will update the thread once we have a fix for it.

collider · June 28, 2018, 6:05am

I saw that bug but i get the same behaviour when the www-authenticate header in the response isn’t unified, so seemed different

postman-harryi3t · August 22, 2018, 8:22am

@collider Could you share the logs when the header is not unified?

abbasl · September 10, 2018, 11:12pm

I’m running into this same issue. Where can I find the logs? I’ll send you what I have.

postman-harryi3t · September 22, 2018, 4:29am

You can open the Postman console and then send the request having NTLM auth. There should be 3 requests logged in the console. Switch to the raw mode then copy everything and post it here

Here’s a screenshot on how it would look like

collider · November 13, 2018, 12:25pm

Sorry for the delay… I’ve had to replace the route and body with XXX, but this is the raw log details:

POST /api/XXX
accept: /
accept-encoding: gzip, deflate
content-length: 1096
content-type: application/json
host: 167.26.148.186:12188
user-agent: PostmanRuntime/7.3.0
{
XXX
}
HTTP/1.1 401
status: 401
content-length: 0
date: Tue, 13 Nov 2018 12:10:14 GMT
proxy-support: Session-Based-Authentication
server: Microsoft-HTTPAPI/2.0
www-authenticate: NTLM

It only makes this initial request and doesn’t attempt to respond to the server’s request for NTLM auth. However if I make the same request using a c# app and monitor in fiddler, i see it authenticating successfully using NTLM over 3 requests, so the issue seems unique to postman.

collider · November 13, 2018, 12:47pm

Actually nevermind, i just noticed that the ‘disable retrying the request’ flag was checked. It works after disabling this, as long as NTLM is the only www-authenticate value